A blog which tries to demystify computer security, point out the half-truths and misinformation which floats around about this subject and hopefully reduce the hype created by semi-informed people. It also has some useful tips from time to time.


Friday, June 13, 2008

Over at the TaoSecurity blog you can find a good summary of the Bruce Schneier (nice poster, btw) vs. Marcus Ranum face-off regarding the ethics of vulnerability research (also read the comments, they are worth your time).

I fully agree with Bruce on this and think that Marcus is confusing two things: the act of finding the vulnerability and what you do after it. Just as law and justice are not the same thing (trivia: this is why Justitia, the Roman goddess of justice, is never portrayed with a lawbook in her hands, although many people think she is because they confuse her with the Statue of Liberty), vulnerability research and your disclosure method are not the same thing. Bruce Schneier summarizes nicely why it is important to have people who know how to break things:

When someone shows me a security design by someone I don't know, my first question is, "What has the designer broken?" Anyone can design a security system that he cannot break. So when someone announces, "Here's my security system, and I can't break it," your first reaction should be, "Who are you?" If he's someone who has broken dozens of similar systems, his system is worth looking at. If he's never broken anything, the chance is zero that it will be any good.

What you do with your knowledge (the main thing Marcus focuses on) is a separate matter. As long as you:

- try to contact the vendor/author first,

- try to coordinate with them so that the disclosure comes after the patch is available,

- wait a reasonable amount of time before going public, and

- do not sell or give the information to people whose need for it is not well motivated (an IPS/IDS vendor, for example, would be a legitimate recipient),

I consider the action of disclosing a vulnerability (even with proof of concept code) ethical.